The political science of cybersecurity V: Why running hackers through the FBI really isn’t a good idea

One of the most difficult challenges of cybersecurity is that it enables private actors to play a significant role in international security. Both security officials and international relations scholars tend to assume that states are the most important security actors. With a couple of minor exceptions (mercenary forces and the like) private actors simply don’t have the firepower to play a substantial role. Even terrorist groups with international ambitions usually require some kind of state to provide them with safe haven or to back them. Many (although certainly not all) experts argue that cybersecurity is different. Computers and Internet access are all that you need to carry out many kinds of attack, allowing private actors to become a real force in international cyber politics.

This potentially presents two problems for traditional understandings of international security. First, many argue that the world will be less stable if private actors can affect international security. For example, Joseph Nye, a prominent scholar and former policymaker, argues (PDF) that states have not been displaced by private actors in cybersecurity, but now have to share the stage with them. This creates greater volatility in world politics. The more actors there are, the greater the chance of unpredictable accidents, events, attacks or misunderstandings. Furthermore, private actors may have widely varying motivations and be more difficult to discipline. They are less likely to be concerned with the stability of the international system than states are.

There is also a more subtle problem. The existence of empowered private actors in cybersecurity presents temptations to states. It is easier for states to attack other states while blaming hackers, rogue elements or others for the attacks, thus making retaliation less likely. In cyberspace, it is often hard to figure out who precisely is responsible for an attack. These problems are multiplied when states can e.g. use clandestine relationships with private actors to carry out attacks by proxy.

For example, there is still vigorous debate over whether or not the Russian state mounted cyber attacks on Georgia during a dispute a few years ago. Certainly, the major attacks appear to have been mounted from within Russia. However, Ron Deibert, Rahal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that the likely perpetrators were patriotic Russian cyber criminals (who had already created “botnets” of compromised computers for purely criminal attacks) rather than the Russian state itself. While it is possible that the Russian state (some elements of which maintain clandestine contact with the Russian underworld) was using these criminal networks as a cutout to blur responsibility, it is nearly impossible to prove one way or another.

This has led some experts to call for new norms about responsibility. Jason Healey of the Atlantic Council proposes a sliding scale under which states would effectively be required to take responsibility for any major attacks organized from their territory or carried out by their citizens. This would change the incentives, so that states would both be less inclined to cheat by acting through hidden proxies, and more inclined to tidy up rogue elements on their territory that might mount international attacks and land them in hot water. They suggest that the best way for the U.S. to protect its national security interest is to push for such norms.

In this context, yesterday’s New York Times story about the relationship between the FBI and the loosely-knit hacker culture/collective Anonymous raises some problems. The FBI identified a key Anonymous member, Sabu, and turned him so as to identify other hackers. Sabu then appears to have shared a list of foreign Web sites (including sites run by the governments of Iran, Syria, Poland, Turkey, Brazil and Pakistan) with vulnerabilities, and encouraged his colleagues to try to hack into them, uploading data to a server monitored by the FBI.

The Times says it is unclear whether he was doing so on direct orders from his FBI handlers. It is also unclear what happened to the information after it was uploaded (the Times raises the possibility that it was shared with other intelligence agencies, but it may have been left there to sit as evidence). Either way, this report is sure to be interpreted by other countries (including U.S. allies like Poland and Turkey) as strong circumstantial evidence that the U.S. has used independent hackers to conduct attacks in the past, and very possibly is doing so at present.

This obviously makes it harder for the U.S. to push for the kinds of norms that Healey and others advocate. If the U.S. appears to have dirty hands, it will have a more difficult time getting other states to believe in the purity of its actions and intentions. U.S. allies will be disinclined to believe its protestations. Countries that are more or less hostile to the U.S., and which have dubious relations with their own hacking community (such as Russia), are sure to point to the FBI’s decision to run Sabu as evidence of U.S. hypocrisy if the U.S. tries to get them to take responsibility for attacks mounted from their soil.

This will also have consequences if and when U.S. hackers (who are smart, talented and sometimes politically motivated) mount a successful public attack on a target in a third country. The U.S. administration will likely come under sustained suspicion as the hidden culprit behind such an attack, even if it has had absolutely nothing to do with it. Apparent past history will guide other states’ judgment (especially if these other states themselves have clandestine but systematic relationships with hackers, and assume that countries do the same). It’s doubtful that these issues of international policy were foremost in the thoughts of FBI officials when they decided to run Sabu (the FBI is a domestically focused agency, primarily concerned with criminal enforcement). Even so, their decisions may turn out to have important, and likely unfortunate, international ramifications.